DoJ, FBI set up command-and-control servers, take down botnet

The Department of Justice and FBI have taken down the Coreflood botnet. Not …

Past efforts at killing botnets—the large networks of computers running malicious software to send spam, flood websites with traffic, and steal personal data—have managed to disable the networks by taking down important servers, but they've always stopped short of actually killing the botnet software itself. That's because the companies behind these efforts have no more legal authority to run unauthorized software on users' machines than the botnet owners do—to remove the botnet software would make them just as guilty of hacking as the bad guys are.

The result is that while efforts such as Microsoft's disruption of the Waledac and Rustock botnets were successful, they were far from perfect. These efforts left the malicious software running on the infected PCs—they just removed the command and control servers, the centralized machines that tell the botnet what to do. Should the bot herders regain control of the domain names or IP addresses used by the command-and-control servers, the infected machines will be able to successfully connect to them, and the networks will once again spring into life.

A new Justice Department operation goes some way towards solving that problem, at least for the botnet known as "Coreflood." A federal judge has authorized the non-profit Internet Systems Consortium, working in conjunction with the FBI, to go beyond taking down the command-and-control servers: the ISC has installed its own command-and-control servers in their place. The command the servers are sending? Stop the botnet malware. The servers were swapped out on Tuesday evening, and the stop command was duly sent.

The kill command still stops short of removing the malware altogether: it only terminates the running bot, and the malware's persistence mechanism stays in place, so each time an infected PC is rebooted it will try to restart the botnet software and check in again. But every time, the new command-and-control servers will tell the software to shut down, preventing it from causing any more harm. This holds only for as long as infected machines keep reaching the replacement servers rather than ones under the bot herders' control.

In tandem with this effort, Microsoft has updated its Malicious Software Removal Tool (MSRT) to enable it to remove the Coreflood malware itself. Some users will likely receive this tool through Windows Update, but to ensure greater reach, the new command-and-control servers will record every IP address that tries to reach them. Since an IP address identifies a network connection rather than a particular person or machine, this information will be passed to the ISPs, which can tie each address to a subscriber. In turn, the ISPs will inform their end users that a machine on their connection is infected, and provide information on where to get the MSRT.
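The two mechanisms the article describes, a replacement command-and-control server that answers every check-in with a stop instruction and logs the contacting address, and a per-ISP report built from those logs, can be modelled in a few dozen lines. The following is an added example written for this page; it is not the ISC's or FBI's code, and Coreflood's real wire protocol is not described here, so the `STOP` token, the ISP prefix table (RFC 5737 documentation ranges), the six-month retention window and the check-in sequence are all constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: Coreflood's real wire protocol is not described on the page, so the
# "shut down" instruction is modelled as a fixed token the bot is presumed to obey.
STOP_COMMAND = b"STOP\n"

# Constructed ISP allocation table (RFC 5737 documentation prefixes). In practice
# this mapping would come from WHOIS or routing data; here it is an assumption.
ISP_PREFIXES = {
    "ExampleNet": [ip_network("192.0.2.0/24")],
    "DocuCable": [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/25")],
}

# Assumed retention window after which a sighting is forgotten.
RETENTION = timedelta(days=180)


def isp_for(ip):
    """Return the ISP whose prefix contains ip, or 'unknown' if none does."""
    addr = ip_address(ip)
    for isp, prefixes in ISP_PREFIXES.items():
        if any(addr in prefix for prefix in prefixes):
            return isp
    return "unknown"


class Sinkhole:
    """Stand-in for the replacement C&C server. It never hands out tasks, only
    the stop command, and it keeps nothing from a check-in except the source
    address and when it was seen."""

    def __init__(self):
        # ip -> {"first": datetime, "last": datetime, "checkins": int}
        self.sightings = {}

    def handle_checkin(self, client_ip, payload, now):
        """Log the contact and answer with the stop command.

        Whatever the bot uploads (stolen form data, host details) is discarded
        without being parsed or stored: only the address and time are kept."""
        del payload
        rec = self.sightings.setdefault(
            client_ip, {"first": now, "last": now, "checkins": 0})
        rec["last"] = now
        rec["checkins"] += 1
        return STOP_COMMAND

    def isp_report(self):
        """Group infected addresses by ISP so each ISP can be notified."""
        report = {}
        for ip, rec in self.sightings.items():
            report.setdefault(isp_for(ip), {})[ip] = rec["checkins"]
        return report

    def purge(self, now):
        """Forget addresses not seen within RETENTION; return how many were dropped."""
        stale = [ip for ip, rec in self.sightings.items()
                 if now - rec["last"] > RETENTION]
        for ip in stale:
            del self.sightings[ip]
        return len(stale)


# Constructed check-in sequence: one host rebooting on three consecutive days
# (the bot relaunches from its persistence mechanism and checks in again), plus
# two other hosts, one of which sits outside every known ISP prefix.
SAMPLE_CHECKINS = [
    ("2011-04-12T22:00:00", "192.0.2.10", b"\x01\x02harvested form data"),
    ("2011-04-12T22:05:00", "198.51.100.7", b""),
    ("2011-04-13T08:30:00", "192.0.2.10", b""),
    ("2011-04-13T09:00:00", "203.0.113.200", b""),
    ("2011-04-14T07:45:00", "192.0.2.10", b""),
]


def run_sample():
    """Feed the constructed check-ins through the sinkhole; return the replies,
    the per-ISP report, and the number of records purged six months later."""
    sink = Sinkhole()
    replies = [sink.handle_checkin(ip, payload, datetime.fromisoformat(ts))
               for ts, ip, payload in SAMPLE_CHECKINS]
    report = sink.isp_report()
    purged = sink.purge(datetime.fromisoformat("2011-10-20T00:00:00"))
    return replies, report, purged


if __name__ == "__main__":
    replies, report, purged = run_sample()
    print("every check-in answered with:", set(replies))
    for isp, hosts in sorted(report.items()):
        print(f"{isp}: {len(hosts)} infected address(es) {hosts}")
    print("records purged after retention window:", purged)
```

The design choice worth noting is that `handle_checkin` throws the uploaded payload away unread: a sinkhole operating under a court order wants to be able to show that it stored nothing from the victim's machine beyond what is needed for notification, and the repeated check-ins from 192.0.2.10 show why the stop command alone does not end the infection.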

Users will also be able to opt out of the entire process, if they would prefer to let the malware continue to run on their PCs.

Coreflood was a particularly nasty botnet. Rather than merely sending spam, it stole banking and other financial information from infected systems. This harvested information was then sent to the command-and-control servers, and according to court filings, allowed criminals to steal hundreds of thousands of dollars from victims. The Coreflood software has been around since 2003, receiving regular updates in an effort to keep one step ahead of anti-malware software. It started out as a regular trojan—a program that masquerades as something useful but which actually does something harmful—before gaining botnet capabilities in 2009. Over the course of its life, more than two million machines were infected.

Though this aggressive move is likely to be effective in combatting the botnet, not everyone is convinced that it's an appropriate path to go down. Speaking to Wired, Electronic Frontier Foundation technology director Chris Palmer described it as an "extremely sketchy action to take," warning that "you don’t know what's going to happen for sure. You might blow up some important machine."

Aggressive as it was, other nations have gone further to fight the botnet menace. Last year, Dutch and Armenian law enforcement made a joint effort to kill off the Bredolab botnet. In this case, the Dutch authorities installed their own command-and-control servers, using them to distribute a program to infected computers that would redirect users to a website giving specific information on how to disinfect their computers. This seemed to work well, with authorities reporting more than 100,000 visits to the site.

There's no word yet on how effective the Justice Department's plan has been. If manual outreach proves effective then there may be no need to go one step further as the Dutch did. But if persistent infections continue to be an issue—as they are with Rustock and Waledac—then American law enforcement may well be tempted to take more proactive measures against the botnets, in spite of the concerns this raises.

Yah, I think I'm with RaveBomb, better to kill a known threat with potentially severe consequences than not; inaction might be worse than action. It's not black and white; something to discuss with your geeky friends this Friday night at the pub.

I approve. This is a non-invasive action and does not directly modify users' machines. The fallback of the government notifying the ISPs of infected IP addresses and letting the ISP internally decide how to handle that information is a further positive step. I LOLed at the "opt out" option... Typical tin-foil hat pacification effort.

Granted, this will not work for long, and could be dangerous. Now that hackers know the gov't tries this tactic, they could just as easily program the bot so that, instead of responding kindly to a shutdown command, it performs some horrible action instead, possibly delayed by say several weeks or months to avoid lab testing methodologies looking for such time bombs.

I do very much like the effort to try to find infected machines, by not just taking out a control server, but also recording all reporting bots for some time either before or after kicking it down, and then more proactively trying to hunt down the remnants. ISPs are likely to support this as well as a lot of the active net traffic is from bots, and certainly people want to be informed if they have one too.

This is the most minimalistic approach, and least invasive and risky thing I believe could have been done. To go that slight step further and simply inform people openly "Your government makes active attempts to disable and disrupt botnets on distributed PCs identified as trying to connect to a known control server. Your government is not directly manipulating your software, however it is possible a bot network may react poorly to being disabled in this way. To protect national security and the people, the government will disable these networks actively. As a precaution, we of course recommend you maintain good backups of your PC, and use sound judgment when providing private or secured information to web sites or software." With such a disclosure, the only people at any major risk of a botnet backlash are people who a) got infected and b) didn't take the government's advice and back up properly, after being warned. I think the security outweighs the risk when accompanied by a public knowledge warning.

Now, where i would draw the line: The government remotely disabling services, directly removing software, active direct monitoring of my machines, allowing my ISP to disconnect me in any way prior to me being given a choice to be and a confirmed response (ISPs kicking people offline, or locking them in quarantined networks, based on 3rd party reports of possible infections is a big No No. If I want them to cut me off because I'm having trouble removing a confirmed infection, that's one thing, but they should not be allowed the power to arbitrarily cut people off for ANY reason, even a known infection, nor be allowed to charge people any fees if they opt to stay both online and infected).

If it's enabled for updates.... Many people, especially those on dial up and slow DSL, and those who leave their PCs off when not in use do not want auto-updates interfering with their limited bandwidth, and they turn it off completely.

I think this is great. Since every machine in the botnet is calling home it makes a lot of sense to inform whatever end users they can identify that they are infected. Odds are the malware removal tool is going to find that these machines are in several different botnets or infected by other malware.

Not sure where the EFF guy is coming from here.

I have to wonder how you would inform users that they are infected. I mean, what do YOU do when an unexpected dialog box pops up on your screen that says "You have been infected!" lol Though I suppose it wouldn't be difficult to make it appear more legitimate.

Quote:

If it's enabled for updates.... Many people, especially those on dial up and slow DSL, and those who leave their PCs off when not in use do not want auto-updates interfering with their limited bandwidth, and they turn it off completely.

I'd add a 3rd category to the list. People with slow single core machines. My uncle bought cheap single core AMD boxes for his kids about 2 years ago, Windows Update gobbles enough CPU (and disk IO?) resources to render the computer virtually unusable while installing stuff. This has caused issues for keeping them patched since I can't set WU to just run in the background. 2 of the machines are set to DL and install patches on shutdown, but this runs into problems with the kids hitting the power button instead of shutting down safely. The only one I'm confident about being patched regularly belongs to the kid who forgets to turn it off when she's done, and which I was able to set to update itself overnight.

Just like white collar crime, if the penalties were as stiff as for violent crimes (which often result in far less loss than the white collar stuff, violence aside), it would go a long way towards deterrence.

Most of these botnets are managed from foreign countries, so laws in the US won't apply. It's not like we can just convince the Russians to stop taking payoffs from the Russian mob to look the other way. They allow them to get away with far worse than spam.

1: The owner of the compromised computer isn't competent to take care of the problem.

2: The owner doesn't care that their computer was compromised.

In either case, the DOJ should have the right to blow away the software, as long as it doesn't damage any data on the computer, or leave it open to other threats.

Sending the owner messages is problematical for two reasons. Who trusts such messages today? Nobody in their right mind. Second, such a practice will no doubt eventually be co-opted by spammers to spread their malware, because people will have a reason to believe such a message is in fact accurate.

Don't collect any personally identifiable information off the computer, other than its IP address (and purge it after six months?) and go after such computers the way they do random drug tests or random roadblocks looking for drunk drivers. That should be litigation-proof.

The EFF is, unfortunately, an absolutist organization that is too ideological for my taste. That's why I won't donate to their cause most of the time. They're too much like PETA, Greenpeace, anti-abortion groups, the tea party, and others who brook no compromise. Either side of the political spectrum, such organizations limit their own effectiveness by their impeccabilis.

Quote:

If it's enabled for updates.... Many people, especially those on dial up and slow DSL, and those who leave their PCs off when not in use do not want auto-updates interfering with their limited bandwidth, and they turn it off completely.

^ this with my Dad. He says that every time he tries to use his laptop to write a letter or send an email it wants to install Windows updates, install an Adobe Flash update, install an AV engine update, scan the hard drive, install a Firefox update, et cetera. Don't even get him started on how he needs to update firmware every time he tries to watch a Blu-Ray movie. This is one thing Google did right with Chrome.

I tried setting him up so that Windows Updates would automatically install and reboot, but then it did so while he was in the middle of writing an unsaved letter. Come on Dad, save and backup your documents FFS! Yeah, not going to win that argument.

Personally I like knowing everything my computer is doing but my Dad is older and like many other people is not a technically adept person, he just wants to write a letter or send an email without having to update shit every time he turns it on. I hate to admit it but I think Chromium OS and its cloud console approach might just be perfect for him.

The government/CERT could launch a PR campaign and define quarterly "Notification Days". So March 21st you get a pop up saying "Call this number, with this ID, to get more info on the issues associated with your machine". If it is publicly known, and publicly accessible so that the general public is aware and easily able to follow up without there being a direct link (since that would be the simplest vector for bogus warnings to reinfect) then it could be doable. Certainly a large enough population would be picked up to have some measurable effect on the size.

Additionally, I don't have any issue with an ISP agreement that says "If you have malware on the government list we reserve the right to restrict your access until it is resolved, unless you have a verifiable need to run said malware". By keeping it to a CERT run list then you have a basic sense of expert classification (so Google couldn't get the Bong toolbar listed, as a too obvious example). I'd be down with that; hell, it's putting a lot of that good work right into the public hands, upping the ROI on that budget line item (especially when you factor in the hypothetical "Billions $ lost due to malware" numbers that get thrown around).

The EFF guy is probably worried about slippery slope issues. If it's okay for the government to unilaterally remove malware from remote machines, it's not a large jump (from a legislator or MAFIAA lobbyist viewpoint) to deleting ripped movies, etc.

Rather than shutting it down why don't they repurpose it for something good? Like they could make all these bots crack some really hard encryption? ...or use the bots to analyze data looking for extraterrestrial life! I bet there are all sorts of things a bot net like this could help analyze. Then when the time came and they needed a bot net for something even more important like launching a cyber attack against heathen enemies like Russia, China or even Mexico they could use these bots to do so?

Quote:

Rather than shutting it down why don't they repurpose it for something good? Like they could make all these bots crack some really hard encryption? ...or use the bots to analyze data looking for extraterrestrial life! I bet there are all sorts of things a bot net like this could help analyze. Then when the time came and they needed a bot net for something even more important like launching a cyber attack against heathen enemies like Russia, China or even Mexico they could use these bots to do so?

/sarcasm

I know you're joking, but a few years ago some sad sack actually did set up a botnet to run BOINC (the platform used by dozens of DC programs including SETI) on several hundred computers. He got busted after one of his victims noticed BOINC running and went to the support forum for the science app it was running to try and figure out WTF it was.

Quote:

The EFF guy is probably worried about slippery slope issues. If it's okay for the government to unilaterally remove malware from remote machines, it's not a large jump (from a legislator or MAFIAA lobbyist viewpoint) to deleting ripped movies, etc.

It's more likely a precedent and decision making issue. Allow the Government to modify files on your computer when they're "malicious" and you're left asking who defines malicious? An argument could be made that someone hosting a webserver critical of the government is running "malicious software" that the government believes the world could be better off without. Essentially it boils down to defining what can and can not be done. You're either left with overly specific rules that end up being ineffectual, or overly broad rules that fail to protect against abuse. Most people probably trust the current government to handle the removal of malicious software, but it's not about the current government, it's about what might happen in the future.

<tinfoilhat> The "shut down command" is just a cover story. The government is really taking complete control of the botnet and using it for domestic and international espionage. It's part of their international cyber warfare army. </tinfoilhat>

Quote:

The EFF guy is probably worried about slippery slope issues. If it's okay for the government to unilaterally remove malware from remote machines, it's not a large jump (from a legislator or MAFIAA lobbyist viewpoint) to deleting ripped movies, etc.

No more so than allowing MS to patch windows, remove malware with MSRT, or tell your copy of windows to nag you about it being "Not Genuine".

MPAA etc.. are not going to convince MS to make Windows scan and remove questionable movies and music. The legal implications of that are staggering... Tho knowing the MPAA, they have approached MS about it and were sent packing.

The fact is, if your machine is already owned it is talking to the botnet servers. The FBI and the DoJ took over the control servers and are telling the bot to shut down.

The EFF are shrill, whiny elitists.... I swear, the Electronic Frontier Foundation wants the Internet to be exactly like the American frontier... no laws, no rules, no oversight. If they had their way, we'd all run GNU/Linux, have to build everything from source, and there would be NO automatic updates or patching... because no one should touch your machine but you!

Uhh... wouldn't Dutch and Armenian hackers start to install a program through their botnet, pretending to be the law enforcement, to send people to a fake government page to install more bots and/or steal more user information? If a user already got infected by a bot, what's the chance that they are smart enough to distinguish a real government website from a fake government website?

In other thoughts, maybe US law enforcement should sell the bot net to the RIAA so the RIAA can flood the torrent sites with DDoS, or use the botnet to see who's been infringing on their copyright. I mean 1) the RIAA already controls the FBI/ICE/police, so why not and 2) the US gov is looking for revenue anywhere they can find.

Actually, did I just give a really, really bad idea to the RIAA and US gov?

Quote:

The EFF guy is probably worried about slippery slope issues. If it's okay for the government to unilaterally remove malware from remote machines, it's not a large jump (from a legislator or MAFIAA lobbyist viewpoint) to deleting ripped movies, etc.

No more so than allowing MS to patch windows, remove malware with MSRT, or tell your copy of windows to nag you about it being "Not Genuine".

MPAA etc.. are not going to convince MS to make Windows scan and remove questionable movies and music. The legal implications of that are staggering... Tho knowing the MPAA, they have approached MS about it and were sent packing.

The fact is, if your machine is already owned it is talking to the botnet servers. The FBI and the DoJ took over the control servers and are telling the bot to shut down.

The EFF are shrill, whiny elitists.... I swear, the Electronic Frontier Foundation wants the Internet to be exactly like the American frontier... no laws, no rules, no oversight. If they had their way, we'd all run GNU/Linux, have to build everything from source, and there would be NO automatic updates or patching... because no one should touch your machine but you!

No one should touch your machine without your permission is the actual thought, but keep on taking things for granted, I'm sure nothing will ever change socio-politically right?

All the effort and money being spent trying to outmaneuver the botnet creators and implementers is wasted if they're allowed to just keep creating smarter and tougher botnets. The current law enforcement is obviously little deterrent. Needs to be ramped way up. Scary penalties combined with effective detection and enforcement are required, otherwise the escalating technological battle just keeps raining shit on everyone's head, no end in sight. Seriously, is there any realistic hope for a scenario where this garbage actually stops because of some brilliant and insurmountable technological defense? Hell no. Tired of being a herd of crash test dummies for this crap. Find them, punish them in a way that actually scares the rest.

Quote:

1: The owner of the compromised computer isn't competent to take care of the problem.

Likely, but not a given.

Quote:

2: The owner doesn't care that their computer was compromised.

That's a huge assumption. No user, competent or not, wants their computer running slow and stealing their info and/or money.

Quote:

In either case, the DOJ should have the right to blow away the software, as long as it doesn't damage any data on the computer, or leave it open to other threats.

"The government should have the conditional right to remove software from your computer." No. To clarify, fuck no.

Quote:

Sending the owner messages is problematical for two reasons. Who trusts such messages today? Nobody in their right mind. Second, such a practice will no doubt eventually be co-opted by spammers to spread their malware, because people will have a reason to believe such a message is in fact accurate.

I agree that it's problematic. I think the people that DO trust such messages are the ones whose computers get infected in the first place, although once bitten twice shy and all that. However, notification through the ISP provides an avenue for a user to call for verification.

Quote:

Don't collect any personally identifiable information off the computer, other than its IP address (and purge it after six months?) and go after such computers the way they do random drug tests or random roadblocks looking for drunk drivers. That should be litigation-proof.

Isn't this what they did? Get the IP and notify the user, via the ISP, that they're infected.

willyu34 wrote:

Actually, did I just give a really, really bad idea to the RIAA and US gov?

No, they had that idea years ago, they're still working on how to make it legal.

Quote:

No more so than allowing MS to patch windows, remove malware with MSRT, or tell your copy of windows to nag you about it being "Not Genuine".

It is absolutely a bigger deal for the government to unilaterally delete files than for the operating system vendor to apply updates. Even "the average idiot" can be expected to know that MS updates exist and can be turned off (indeed, most botnet-infected PCs probably aren't updating). Government remote access is clearly outside the commonly accepted boundaries here.

Quote:

MPAA etc.. are not going to convince MS to make Windows scan and remove questionable movies and music.

Which is exactly the point. Given the opportunity, lobbyists may well be able to convince the government to do things that other businesses would rather avoid. They have successfully done so many times (infinite copyright, DMCA, etc).

FWIW, I'm in favor of remotely stopping zombie PCs (either disinfection or disconnection) as a public safety issue, more worthwhile than highway traffic tickets. But I'm also very glad that the EFF is watching with a skeptical eye, ready to put up the good fight if/when someone pushes it a few steps farther.

Quote:

Personally I like knowing everything my computer is doing but my Dad is older and like many other people is not a technically adept person, he just wants to write a letter or send an email without having to update shit every time he turns it on. I hate to admit it but I think Chromium OS and its cloud console approach might just be perfect for him.

Rather than attempt to remotely kill the malware, I would prefer that the ISP would be given notice and quarantine the machine. The person would say, hey, my machine stopped being able to access the internet. Then they would have to get it fixed and would be forced to remove the offending software. If someone doesn't want to maintain their computer, they lose the right to interface with the rest of the public.

Quote:

Personally I like knowing everything my computer is doing but my Dad is older and like many other people is not a technically adept person, he just wants to write a letter or send an email without having to update shit every time he turns it on. I hate to admit it but I think Chromium OS and its cloud console approach might just be perfect for him.

Sounds like he just needs an iPad.

I've thought of that but how do you write a Word document on an iPad? Does Google Docs work on it? Wow, I can't wait to try and explain the cloud concept to him!

Code:

Dad: but the Word document is right here, I can see it on my iPad so it must be stored in My Documents!

Me: No Dad, it is stored on Google's servers.

Dad: But if it is on Google's servers, how do I see it on my iPad? Where is Office on this thing?

If only I could get his mind to make that shift, it would be blissful. Less family IT support all around.

I generally approve of this, but I would like to see some oversight. I am not comfortable with the FBI setting up servers that then provide instructions. How do we know for sure there isn't anything else going on?

"Mr. Paller applauds the U.S. Department of Justice (DOJ) and U.S. Federal Bureau of Investigations (FBI) efforts, stating, "This was big money stolen on a large scale by foreign criminals. The FBI wanted to stop it and they did an incredibly good job at it."

I think the article said that it was done with the help of a small country of Holland who originally came up with the idea of reverse engineering the virus. I just want to make sure that credit is given when credit is due. I hope Holland patented the idea for copyrighting the technique, if not I'm sure some American will and then take credit. All I can say is WOW, ten years and 100 million dollars later Holland helped break the botnet, so the FBI could finally break the case.